From 48cb038635b0508cc6c1218d3d23fb8ccd6551fe Mon Sep 17 00:00:00 2001
From: Scott Dodson
Date: Thu, 25 May 2017 17:07:57 -0400
Subject: Push to the registry via dns Configures OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc Adds 'cluster.local' to dns search on nodes via dispatcher script Adds '.svc' to NO_PROXY defaults
---
 roles/openshift_facts/library/openshift_facts.py | 1 +
 roles/openshift_master/templates/atomic-openshift-master.j2 | 3 +++
 roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh | 3 +++
 3 files changed, 7 insertions(+)
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index cfe092a28..0788ddfb0 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1654,6 +1654,7 @@ def set_proxy_facts(facts):
 common['no_proxy'].extend(common['no_proxy_internal_hostnames'].split(','))
 # We always add local dns domain and ourselves no matter what
 common['no_proxy'].append('.' + common['dns_domain'])
+ common['no_proxy'].append('.svc')
 common['no_proxy'].append(common['hostname'])
 common['no_proxy'] = ','.join(sort_unique(common['no_proxy']))
 facts['common'] = common
diff --git a/roles/openshift_master/templates/atomic-openshift-master.j2 b/roles/openshift_master/templates/atomic-openshift-master.j2
index 6e2439fd9..2cf784fe9 100644
--- a/roles/openshift_master/templates/atomic-openshift-master.j2
+++ b/roles/openshift_master/templates/atomic-openshift-master.j2
@@ -1,5 +1,8 @@
 OPTIONS=--loglevel={{ openshift.master.debug_level | default(2) }}
 CONFIG_FILE={{ openshift_master_config_file }}
+{% if openshift_use_dnsmasq | default(true) %}
+OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
+{% endif %}
 {% if openshift.common.is_containerized | bool %}
 IMAGE_VERSION={{ openshift_image_tag }}
 {% endif %}
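Review bot: In roles/openshift_facts/library/openshift_facts.py the new `common['no_proxy'].append('.svc')` is not explained by the comment above it, which still names only the local dns domain and the host itself. A reader cannot tell that `.svc` is there for short service names such as `docker-registry.default.svc`, which do not end in `common['dns_domain']`. I would extend the comment to `# We always add local dns domain, the '.svc' service suffix and ourselves no matter what`, and mention that any host name ending in `.svc` is then exempt from the configured proxy in clients that suffix-match NO_PROXY. set_proxy_facts starts and ends outside the hunk.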
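Review bot: In roles/openshift_master/templates/atomic-openshift-master.j2 the added `{% if openshift_use_dnsmasq | default(true) %}` tests the raw variable, so a value that arrives as the string `false` (for example from `-e openshift_use_dnsmasq=false`) is truthy and OPENSHIFT_DEFAULT_REGISTRY is still written. The `is_containerized` test just below already uses `| bool`, and the new condition should match it: `{% if openshift_use_dnsmasq | default(true) | bool %}`. The same applies to the later revisions of this line in commits 9bb460d and f62ca64, where the final form would be `{% if openshift_push_via_dns | default(false) | bool %}`.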
diff --git a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh
index 24798d3d2..c68073a10 100755
--- a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh
+++ b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh
@@ -96,6 +96,9 @@ EOF
 if ! grep -q '99-origin-dns.sh' ${NEW_RESOLV_CONF}; then
 echo "# nameserver updated by /etc/NetworkManager/dispatcher.d/99-origin-dns.sh" >> ${NEW_RESOLV_CONF}
 fi
+ if ! grep -q 'search.*cluster.local' ${NEW_RESOLV_CONF}; then
+ sed -i '/^search/ s/$/ cluster.local/' ${NEW_RESOLV_CONF}
+ fi
 cp -Z ${NEW_RESOLV_CONF} /etc/resolv.conf
 fi
 fi
-- cgit v1.2.3
From 7ec50feb584e45359fd21d9c78635aae9a995a18 Mon Sep 17 00:00:00 2001
From: Scott Dodson
Date: Fri, 26 May 2017 11:58:20 -0400
Subject: Add openshift_node_dnsmasq role to upgrade
---
 playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml | 1 +
 playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml | 1 +
 roles/openshift_node_upgrade/tasks/main.yml | 3 +++
 3 files changed, 5 insertions(+)
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
index bb294cc57..c18c49d7b 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
@@ -296,6 +296,7 @@
 - openshift_facts
 - docker
 - openshift_node_upgrade
+ - openshift_node_dnsmasq
 post_tasks:
 - name: Set node schedulability
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
index 91dbc2cd4..35a50cf4e 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
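Review bot: The added `sed` in 99-origin-dns.sh only edits an existing `search` line, so when the generated resolv.conf has none, `cluster.local` is never added and nothing reports it. The `grep` guard is also loose: it is unanchored and its dots are unescaped, so a comment line or a domain such as `mycluster.local.example.com` (constructed example) satisfies it and suppresses the edit, and `${NEW_RESOLV_CONF}` is unquoted in both commands. Because the domain is appended last, the resolver tries the earlier search domains first for `docker-registry.default.svc`, so a wildcard record in one of them would presumably answer before the cluster domain does; that deserves a comment next to the edit. The enclosing `if` blocks start outside the hunk.
```shell
if ! grep -Eq '^search[[:space:]](.*[[:space:]])?cluster\.local([[:space:]]|$)' "${NEW_RESOLV_CONF}"; then
  if grep -q '^search' "${NEW_RESOLV_CONF}"; then
    sed -i '/^search/ s/$/ cluster.local/' "${NEW_RESOLV_CONF}"
  else
    echo 'search cluster.local' >> "${NEW_RESOLV_CONF}"
  fi
fi
# … unchanged: cp -Z of the new file to /etc/resolv.conf …
```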
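Review bot: `openshift_node_dnsmasq` ends up applied twice to each upgraded node: the upgrade_control_plane.yml hunk lists it in the role list right after `openshift_node_upgrade`, while the same commit appends an `include_role` of `openshift_node_dnsmasq` to roles/openshift_node_upgrade/tasks/main.yml; the upgrade_nodes.yml hunk repeats the pattern. Unless the second run is intended, keep only one of the two. If both are wanted, say why on the list entry, for example `# re-applied after the node restart done by openshift_node_upgrade`. The play definitions start outside these hunks, so the ordering relative to other tasks is not visible here.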
@@ -34,6 +34,7 @@
 - openshift_facts
 - docker
 - openshift_node_upgrade
+ - openshift_node_dnsmasq
 - role: openshift_excluder
 r_openshift_excluder_action: enable
 r_openshift_excluder_service_type: "{{ openshift.common.service_type }}"
diff --git a/roles/openshift_node_upgrade/tasks/main.yml b/roles/openshift_node_upgrade/tasks/main.yml
index d44839d69..8eaa68cc9 100644
--- a/roles/openshift_node_upgrade/tasks/main.yml
+++ b/roles/openshift_node_upgrade/tasks/main.yml
@@ -147,3 +147,6 @@
 # Give the node two minutes to come back online.
 retries: 24
 delay: 5
+
+- include_role:
+ name: openshift_node_dnsmasq
-- cgit v1.2.3
From 9bb460dcf947aec01fdf02d3ef6690d609fa2b18 Mon Sep 17 00:00:00 2001
From: Scott Dodson
Date: Tue, 13 Jun 2017 12:30:22 -0400
Subject: Disable actually pushing to the registry via dns for now We need to sort out how to know that the registry certificate has the proper hostnames attached to it. It will for 3.6 clean installs but not for 3.5 to 3.6 upgrades. For now make it opt in and come back to this.
---
 roles/openshift_master/templates/atomic-openshift-master.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/openshift_master/templates/atomic-openshift-master.j2 b/roles/openshift_master/templates/atomic-openshift-master.j2
index 2cf784fe9..6c9e1336a 100644
--- a/roles/openshift_master/templates/atomic-openshift-master.j2
+++ b/roles/openshift_master/templates/atomic-openshift-master.j2
@@ -1,6 +1,6 @@
 OPTIONS=--loglevel={{ openshift.master.debug_level | default(2) }}
 CONFIG_FILE={{ openshift_master_config_file }}
-{% if openshift_use_dnsmasq | default(true) %}
+{% if openshift_use_dnsmasq | default(true) and openshift_push_via_dns | default(false) %}
 OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
 {% endif %}
 {% if openshift.common.is_containerized | bool %}
-- cgit v1.2.3
From 6fbc26e857146cbbee32b8df66b65fdd66730dab Mon Sep 17 00:00:00 2001
From: Scott Dodson
Date: Fri, 16 Jun 2017 13:14:39 -0400
Subject: Enable push to registry via dns only on clean 3.6 installs We cannot assume that 3.5 to 3.6 upgrades were signed with the correct certs
---
 roles/openshift_master/tasks/main.yml | 3 +++
 roles/openshift_master/templates/atomic-openshift-master.j2 | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 035c15fef..630d70a7e 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -128,6 +128,9 @@
 when: openshift.master.request_header_ca is defined and item.kind == 'RequestHeaderIdentityProvider' and item.clientCA | default('') != ''
 with_items: "{{ openshift.master.identity_providers }}"
+- set_fact:
+ openshift_push_via_dns: "{{ openshift_use_dnsmasq | default(true) and openshift.common.version_gte_3_6 and r_openshift_master_clean_install }}"
+
 - name: Install the systemd units
 include: systemd_units.yml
diff --git a/roles/openshift_master/templates/atomic-openshift-master.j2 b/roles/openshift_master/templates/atomic-openshift-master.j2
index 6c9e1336a..156bb49d6 100644
--- a/roles/openshift_master/templates/atomic-openshift-master.j2
+++ b/roles/openshift_master/templates/atomic-openshift-master.j2
@@ -1,6 +1,6 @@
 OPTIONS=--loglevel={{ openshift.master.debug_level | default(2) }}
 CONFIG_FILE={{ openshift_master_config_file }}
-{% if openshift_use_dnsmasq | default(true) and openshift_push_via_dns | default(false) %}
+{% if openshift_push_via_dns %}
 OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
 {% endif %}
 {% if openshift.common.is_containerized | bool %}
-- cgit v1.2.3
From f62ca64ccf58b013e4c38143036b05c76ee6f80c Mon Sep 17 00:00:00 2001
From: Scott Dodson
Date: Mon, 19 Jun 2017 21:30:58 -0400
Subject: Update atomic-openshift-master.j2
---
 roles/openshift_master/templates/atomic-openshift-master.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
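Review bot: The added `set_fact` in roles/openshift_master/tasks/main.yml reads `r_openshift_master_clean_install` with no default and coerces none of its inputs, so the task fails when a caller omits the variable (unless the role defaults define it, which is not visible here), and a string `false` for `openshift_use_dnsmasq` counts as true. I would write `openshift_push_via_dns: "{{ (openshift_use_dnsmasq | default(true) | bool) and (openshift.common.version_gte_3_6 | bool) and (r_openshift_master_clean_install | default(false) | bool) }}"` and give the task a `name:`. The expression stands in for the real precondition named in the commit messages, that the registry certificate carries the service hostname, so a comment above the task should say so, e.g. `# DNS push needs the registry cert to include docker-registry.default.svc; only clean 3.6 installs are known to have it`. Since `set_fact` outranks inventory variables, the inventory opt-in introduced in commit 9bb460d presumably no longer has any effect.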
diff --git a/roles/openshift_master/templates/atomic-openshift-master.j2 b/roles/openshift_master/templates/atomic-openshift-master.j2
index 156bb49d6..850fae0e4 100644
--- a/roles/openshift_master/templates/atomic-openshift-master.j2
+++ b/roles/openshift_master/templates/atomic-openshift-master.j2
@@ -1,6 +1,6 @@
 OPTIONS=--loglevel={{ openshift.master.debug_level | default(2) }}
 CONFIG_FILE={{ openshift_master_config_file }}
-{% if openshift_push_via_dns %}
+{% if openshift_push_via_dns | default(false) %}
 OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
 {% endif %}
 {% if openshift.common.is_containerized | bool %}
-- cgit v1.2.3